
User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317)

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

  • Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
  • Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

  • Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
  • Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute-force attacks.

Managing Dormant and Orphaned Accounts

  • Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
  • Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

  • Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
  • Use Case: Mitigates automated attack techniques that rely on repeated login attempts.
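A small audit that applies the two measures just described (the 30-day dormancy and missing-owner sweep, and the five-failure/15-minute lockout) to constructed account records and logon events. This is an added example, not code from the MITRE or MISP page; the record fields, the 15-minute window for counting failures, and treating never-used accounts as dormant are assumptions.

```python
"""Audit helpers for the M1018 measures above: a dormant/orphaned account sweep (30 days
inactive, no owner) and a lockout evaluator (five failures, 15-minute lockout).
Added example, not MITRE/MISP code; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_DAYS = 30                      # disable after 30 days of inactivity
LOCKOUT_THRESHOLD = 5                     # lock after five failed logon attempts
LOCKOUT_DURATION = timedelta(minutes=15)  # minimum lockout duration
FAILURE_WINDOW = timedelta(minutes=15)    # assumption: failure-counter reset window


@dataclass
class Account:
    name: str
    last_logon: Optional[datetime]  # None = never logged on
    owner: Optional[str]            # None = orphaned (no assigned owner)
    enabled: bool = True


def audit_accounts(accounts: List[Account], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (dormant, orphaned) names among enabled accounts.
    Assumption: an account that has never logged on is treated as dormant."""
    dormant, orphaned = [], []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to do
        if acct.last_logon is None or now - acct.last_logon > timedelta(days=INACTIVITY_DAYS):
            dormant.append(acct.name)
        if not acct.owner:
            orphaned.append(acct.name)
    return dormant, orphaned


class LockoutPolicy:
    """Counts failed logons per account and locks the account at the threshold."""
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, duration: timedelta = LOCKOUT_DURATION,
                 window: timedelta = FAILURE_WINDOW) -> None:
        self.threshold, self.duration, self.window = threshold, duration, window
        self._failures: Dict[str, List[datetime]] = {}
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, name: str, at: datetime) -> bool:
        until = self._locked_until.get(name)
        return until is not None and at < until

    def record_failure(self, name: str, at: datetime) -> bool:
        """Record a failed logon; return True if the account is locked afterwards."""
        if self.is_locked(name, at):
            return True  # attempts during lockout are rejected and not counted
        recent = [t for t in self._failures.get(name, []) if at - t <= self.window]
        recent.append(at)
        if len(recent) >= self.threshold:
            self._locked_until[name] = at + self.duration
            self._failures[name] = []  # counter restarts once the lockout expires
            return True
        self._failures[name] = recent
        return False

    def record_success(self, name: str, at: datetime) -> bool:
        """Return True if the logon is accepted; a success resets the counter."""
        if self.is_locked(name, at):
            return False
        self._failures.pop(name, None)
        return True


def replay_events(policy: LockoutPolicy, log: str) -> List[Tuple[str, str]]:
    """Replay 'timestamp user FAIL|SUCCESS' lines; return (user, outcome) per line."""
    outcomes = []
    for line in log.strip().splitlines():
        ts, user, result = line.split()
        at = datetime.fromisoformat(ts)
        if result == "FAIL":
            outcome = "locked" if policy.record_failure(user, at) else "fail"
        else:
            outcome = "ok" if policy.record_success(user, at) else "rejected"
        outcomes.append((user, outcome))
    return outcomes


NOW = datetime(2024, 6, 1, 12, 0, 0)  # constructed sample data, not from any real directory
SAMPLE_ACCOUNTS = [
    Account("alice", NOW - timedelta(days=2), owner="alice"),
    Account("svc-legacy", NOW - timedelta(days=45), owner=None),  # dormant and orphaned
    Account("bob", None, owner="bob"),                              # never logged on
    Account("contractor", NOW - timedelta(days=60), owner="j.doe", enabled=False),
]
SAMPLE_EVENTS = """
2024-06-01T12:00:00 svc-legacy FAIL
2024-06-01T12:00:10 svc-legacy FAIL
2024-06-01T12:00:20 svc-legacy FAIL
2024-06-01T12:00:30 svc-legacy FAIL
2024-06-01T12:00:40 svc-legacy FAIL
2024-06-01T12:01:00 alice FAIL
2024-06-01T12:02:00 alice SUCCESS
2024-06-01T12:05:00 svc-legacy SUCCESS
2024-06-01T12:16:00 svc-legacy SUCCESS
"""

if __name__ == "__main__":
    print("dormant, orphaned:", audit_accounts(SAMPLE_ACCOUNTS, NOW))
    print("lockout replay:", replay_events(LockoutPolicy(), SAMPLE_EVENTS))
```

In a real deployment the account list would come from the directory (for example the AD `lastLogonTimestamp` attribute) and the events from the authentication logs; the thresholds above are the values the measures state.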

Multi-Factor Authentication (MFA) for High-Risk Accounts

  • Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
  • Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

  • Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
  • Use Case: Protects sensitive accounts from misuse or exploitation.

Tools for Implementation

Built-in Tools:

  • Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
  • Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

  • Okta: Centralized user provisioning, MFA, and SSO integration.
  • Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM) Tools:

  • CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and provide just-in-time (JIT) access.

Cluster A Galaxy A Cluster B Galaxy B Level
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable or Modify Cloud Logs - T1562.008 (cacc40da-4c9e-462c-80d5-fd70a178b12d) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cloud Storage Object Discovery - T1619 (8565825b-21c8-4518-b75e-cbc4c717a156) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cloud Service Dashboard - T1538 (e49920b0-6c54-40c1-9571-73723653205f) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Modify Cloud Resource Hierarchy - T1666 (0ce73446-8722-4086-9d43-514f1d0f669e) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
ESXi Administration Command - T1675 (31e5011f-090e-45be-9bb6-17a1c5e8219b) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Lifecycle-Triggered Deletion - T1485.001 (1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Cloud Infrastructure Discovery - T1580 (57a3d31a-d04f-4663-b2da-7df8ec3f8c9d) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Temporary Elevated Cloud Access - T1548.005 (6fa224c7-5091-4595-bf15-3fc9fe2f2c7c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Serverless Execution - T1648 (e848506b-8484-4410-8017-3d235a52f5b3) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) Attack Pattern User Account Management - M1018 (93e7968a-9074-4eac-8ae9-9f5200ec3317) Course of Action 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern 2
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 2
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Cloud Logs - T1562.008 (cacc40da-4c9e-462c-80d5-fd70a178b12d) Attack Pattern 2
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Executable Installer File Permissions Weakness - T1574.005 (70d81154-b187-45f9-8ec5-295d01255979) Attack Pattern 2
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Launchctl - T1569.001 (810aa4ad-61c9-49cb-993f-daa06199421d) Attack Pattern 2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern 2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Create Snapshot - T1578.001 (ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2
| Source | Source type | Target | Target type | Level |
|---|---|---|---|---|
| Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 2 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) | Attack Pattern | 2 |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | Lifecycle-Triggered Deletion - T1485.001 (1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) | Attack Pattern | Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | 2 |
| Additional Container Cluster Roles - T1098.006 (35d30338-5bfa-41b0-a170-ec06dfd75f64) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) | Attack Pattern | 2 |
| Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) | Attack Pattern | Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) | Attack Pattern | 2 |
| Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) | Attack Pattern | 2 |
| Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 2 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |
| Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) | Attack Pattern | Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | 2 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 2 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 2 |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Temporary Elevated Cloud Access - T1548.005 (6fa224c7-5091-4595-bf15-3fc9fe2f2c7c) | Attack Pattern | Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | 2 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) | Attack Pattern | 2 |
| Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 2 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 2 |
| Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Modify Cloud Compute Configurations - T1578.005 (ca00366b-83a1-4c7b-a0ce-8ff950a7c87f) | Attack Pattern | 2 |
| Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) | Attack Pattern | 2 |
| Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) | Attack Pattern | Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) | Attack Pattern | 2 |
| Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) | Attack Pattern | 2 |
| SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Linux Audit System - T1562.012 (562e9b64-7239-493d-80f4-2bff900d9054) | Attack Pattern | 2 |